As connected devices have become ever-present in our lives, the need for robust embedded security has never been greater. In a recent Let’s Talk Technical roundtable with top embedded and micro suppliers, I spoke with experts from Analog Devices, STMicroelectronics, NXP, and Microchip Technology to hear their perspectives on the evolving landscape of embedded security and its critical role in today’s connected world.
While data centres operate in controlled environments with physical safeguards, embedded devices operate in vehicles, home appliances, and medical devices ‘in the wild’. They require robust, decentralised protection strategies, unlike centralised data centres, which can be vulnerable to physical tampering like side channel attacks. The decentralised nature of embedded devices demands security that is built in from the start, not bolted on later.
Let’s dive into some insights on securing embedded systems, navigating new global regulations, advanced concepts, and more.
The Cyber Resilience Act: raising the bar
Carlos Serratos from NXP explained how the Cyber Resilience Act (CRA) shifts accountability to manufacturers. Adhering to the CRA impacts manufacturers across the globe, not just in Europe. It requires risk assessments for hardware and software, countermeasures against identified threats and vulnerability reporting throughout the product lifecycle. This ensures every layer of the value chain, from microcontrollers to finished goods, meets new security expectations. Failure to comply can lead to penalties and reputational damage, making security a legal obligation rather than just a best practice.
Doug Gardner from Analog Devices added that regulations such as NIST, PSA, IEC 62443, and ISO 21434 are shaping development workflows across industries. Companies must integrate cryptographic primitives, isolation mechanisms, and secure identity management into their engineering processes. To help developers manage these growing requirements, chipmakers are providing tools, SDKs, and lifecycle monitoring solutions that simplify compliance and reduce the risk of implementation errors. This support helps developers integrate security without overwhelming complexity.
Xavier Bignalet from Microchip provided an overview of threat modelling, which defines the risk landscape for each device and application. He explained that modern development must include post-production lifecycle management, ensuring that devices remain secure even after deployment through regular updates, monitoring, and incident response. He stressed that security doesn’t end at deployment. Continuous monitoring, firmware updates, and incident response are essential to maintain resilience against evolving threats.
Secure design principles
Mena Roumbakis from STMicroelectronics underscored that strong security starts early. From the first design phase, developers must conduct risk assessments, follow secure coding practices, implement secure boot and zero-trust systems, confirm supply chain integrity, and maintain documentation to support regulatory compliance. These principles ensure trust from silicon to cloud.
The panel also agreed on the importance of a secure supply chain and the use of zero-trust programming to protect private keys, IP, and firmware from tampering during manufacturing. Gardner also highlighted zero-trust systems and explained how hyperconnected devices must continuously verify trust before exchanging data. As AI and machine learning move to the Edge, ensuring that data remains authentic and reliable becomes even more vital.
Advanced security concepts
The experts also explored Secure Enclave technologies, isolated hardware environments designed to safeguard critical keys and processes. NXP, Microchip, Analog Devices, and STMicroelectronics each implement this concept differently through terms like Crypto Authentication, Trusted Execution Environments (TEE), and TrustZone. Despite different branding, the core principles are similar: protect credentials, enforce trusted execution, and comply with evolving regulations.
The concept of a Secure Enclave is central to modern embedded security. It acts as an isolated environment within a processor, similar to a hotel safe, designed to protect sensitive data and execute critical security functions. It combines hardware and software mechanisms, including hardware isolation, secure execution environment, secure boot and authentication, cryptographic processing, and run-time integrity monitoring.
These solutions physically and logically isolate sensitive operations from general processing, reducing the attack surface and ensuring a hardware-based root of trust. As AI and machine learning move to the Edge, ensuring data authenticity and integrity becomes even more critical.
Panel members emphasised that complexity is the enemy of security, underscoring the importance of isolation and layered defences. Large systems, such as operating systems, inevitably contain flaws, so critical assets like encryption keys must be stored in highly secure environments to prevent catastrophic ‘break one, break all’ attacks. Real-world examples, such as vehicles being hacked remotely through entertainment systems, highlight the importance of these measures.
While the concept of isolation is not new – credit card chips, SIM cards, and TPMs have used it for decades – it is now being extended across industries. Technologies like ARM TrustZone add another layer by creating hardware-enforced secure states for running critical code, complementing dedicated secure elements for maximum protection.
The bottom line
Wrapping up, Bignalet emphasised the legal and operational consequences of noncompliance. Organisations that fail to design security into their products risk not only breaches but also potential litigation under new global standards. Security is no longer optional – it’s a legal, operational, and ethical necessity. The industry is aligning to build trust at every layer of connectivity, ensuring resilience in an increasingly connected world.
For more information and to view the entire Let’s Talk Technical discussion, visit DigiKey.com.
About the author:
Shawn Luke is a Technical Marketing Engineer at DigiKey. DigiKey is recognised as the global leader and continuous innovator in the cutting-edge commerce distribution of electronic components and automation products worldwide, providing more than 17 million components from over 3,000 quality name-brand manufacturers.
